Chairmen Garbarino, Green Deliver Opening Statements in Hearing on Cyber Regulatory Harmonization 

March 11, 2025

WASHINGTON, D.C. –– Today, Subcommittee on Cybersecurity and Infrastructure Protection Chairman Andrew Garbarino (R-NY) and House Committee on Homeland Security Chairman Mark E. Green, MD (R-TN) delivered the following opening statements in a hearing to examine opportunities to improve the cyber regulatory regime, including the role the Cybersecurity and Infrastructure Security Agency (CISA) should play in cyber regulatory harmonization moving forward. 

Watch Subcommittee Chairman Garbarino’s full opening statement in a hearing entitled, “Regulatory Harm or Harmonization? Examining the Opportunity to Improve the Cyber Regulatory Regime.” 

As prepared for delivery:
 
I am honored to serve as Chairman of this Subcommittee again in the 119th Congress. Ranking Member Swalwell, it is great to serve alongside you for another term. I’d also like to welcome all our Members, returning and new. I’m looking forward to working with all of you, and to making this a productive Congress. 

As cyber threats from nation-state and criminal actors to information technology (IT) and operational technology (OT) increase, we must work hard to ensure cybersecurity is front and center on Congress’ agenda. Until we change our cybersecurity posture, we will keep hearing about the Typhoons – including new ones that will inevitably emerge. 

In that spirit, I am pleased to kick off the Congress with a bipartisan priority that is vital to our nation’s security: regulatory harmonization. 

For too long, we have talked about the cumbersome nature of the cyber regulatory regime without seeing the changes necessary to solve it. In fact, the Biden administration tried to add more regulations on sectors such as healthcare and water. Some sectors admittedly have a more mature cybersecurity posture than others.

While it is important for the federal government to work with those entities, more regulation is not the answer. With over 50 regulations at the federal level alone, it is time to streamline requirements to ensure they provide information that is useful, actionable, and reasonable within the timeframe requested. 

When organizations face their most vulnerable moment, they should only be thinking about one thing: securing their networks. Hours of duplicative compliance tasks and hundreds of thousands of dollars invested to navigate the landscape must come to an end. With President Trump’s mandate to increase government efficiency and reduce regulatory burden, we have an opportunity to reset the regulatory regime once and for all. 

In 2022, Congress passed landmark legislation to streamline cyber incident reporting. The Cyber Incident Reporting for Critical Infrastructure Act of 2022, or CIRCIA, directed CISA to develop regulations to set an acceptable standard for cyber incident reporting across all 16 critical infrastructure sectors. 

Unfortunately, as many of today’s witnesses reinforced last year, the scope of the proposed CIRCIA rule went far beyond congressional intent. Knowing that the deadline for the final rule is approaching, we will dig into the value of CIRCIA and what the future of the rule should look like. This new administration presents an opportunity to get cyber incident reporting right. We should seize it. 

Beyond CIRCIA, different regulatory agencies have imposed rules that directly contradict congressional intent with CIRCIA. The SEC rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure are a perfect example of how rulemaking should not be done—that is, without buy-in from their key stakeholders: industry and Congress.

As we strive for regulatory harmonization, collaboration across the public and private sectors is vital. We cannot allow malicious cyber actors to get ahead of us because paperwork holds us back from effective cyber risk management, mitigation, and response.

I look forward to hearing from our witnesses about the steps we can take to finally achieve regulatory harmonization.

Watch Chairman Green’s full opening statement. 

As prepared for delivery: 

Today’s hearing serves as a crucial opportunity to examine the effectiveness of the federal cyber bureaucracy. At a time when cyberattacks are growing more frequent and sophisticated, it is imperative that our regulatory process governing cyberspace is strengthened and harmonized. This will promote security and cooperation while minimizing cost and confusion.

Last May, this Subcommittee held a hearing focused on CIRCIA—the Cyber Incident Reporting for Critical Infrastructure Act of 2022. CIRCIA, among other things, directed CISA to create and implement regulations for cyber incident reporting across all 16 critical infrastructure sectors.
Although Congress passed CIRCIA nearly three years ago, widespread regulatory disharmony persists throughout the cyber incident reporting and response regime. 
 
There are now at least 50 cyber incident reporting requirements in effect across the federal government. These regulations are often duplicative and complex, requiring private sector owners and operators to invest significant sums into regulatory compliance rather than security. This patchwork of conflicting and complex regulations places a significant burden on reporting entities.

Let’s be clear: improving our nation’s cyber regulatory regime will bolster our national security. Current cyber incident reporting regulations require too much of the private sector, drawing their attention away from securing their networks. 

Federal regulations like the SEC’s public cyber disclosure rule clearly illustrate the urgent need for harmonization. This rule in particular is riddled with ambiguity and sets constrictive reporting timelines for organizations that experience cyber incidents. 

Ambiguous and conflicting standards like the SEC rule are allowing compliance to take priority over security, leaving our critical infrastructure more vulnerable to subsequent attacks. 
 
Injecting consistency and efficiency into the cyber regulatory regime is necessary to protect our nation from digital threats to our critical infrastructure. The security of our homeland depends on effective cooperation between the private and public sectors, and it is our duty to help remove any unnecessary barriers to collaboration.

Since CIRCIA is still in the rulemaking process until later this year, there is still time to ensure that regulatory effectiveness and harmonization are core features of our national cyber incident reporting requirements. 

The CIRCIA final rule must not place an undue burden on private sector entities that are critical to our national cyber defense. 

I want to thank our witnesses, Scott Aaronson from Edison Electric Institute, Heather Hogsett from Bank Policy Institute, Robert Mayer from USTelecom, and Ari Schwartz from the Cybersecurity Coalition for being here today.  

Most of today’s panel previously testified during our CIRCIA hearing last May, each providing their invaluable insight to this Subcommittee.

It is a pleasure to have each of you join us again today. With President Trump in office, we have a unique opportunity to create a common-sense cyber regulatory structure that ensures compliance serves its purpose: to share actionable information with the federal government.

As nation-state threats rise, we must do all we can to ensure our cyber professionals can focus their precious time, attention, and resources on securing our networks and critical infrastructure. I look forward to working with you all as we pursue this shared objective.

###